The book I'm learning PHP from says that in order to prevent people using things like quotes to alter the query, you should use the real_escape_string function. The author then goes on to say that on some older systems, where magic quotes is enabled, using real_escape_string could end up double escaping some characters, so he creates this function:
    <?php
    // Strip the slashes magic quotes already added, then escape once for this connection.
    function mysql_fix_string($conn, $string) {
        if (get_magic_quotes_gpc()) $string = stripslashes($string);
        return $conn->real_escape_string($string);
    }
    ?>
Would it be okay to turn this into a method in an extended class of the mysqli class? (There isn't any real reason why I wanted to, other than that I wanted to pass in as few arguments as possible.)
If so, is this the right way to do it?
    class mysqli_extended extends mysqli {
        // Same logic as the book's function, but the connection is $this.
        public function fix_string($string) {
            if (get_magic_quotes_gpc()) {
                $string = stripslashes($string);
            }
            return $this->real_escape_string($string);
        }
    }
And is this a situation where a static method makes more sense? If so, how could it be rewritten as a static method, and if not, then why?
Magic quotes has been deprecated as of PHP 5.3 and is removed in 5.4. I recommend learning PHP the right way.
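As an added example (not code from the question or the answer above), here is the extended class with the instance method the question proposes, a static variant to show why it gains nothing, and the prepared-statement approach the answer alludes to. The table and column names (`users`, `username`), the connection settings and the sample input are constructed placeholders, and `get_magic_quotes_gpc()` is guarded with `function_exists()` because the function itself no longer exists in PHP 8.

```php
<?php
// Added example, not from the original question or answer. The table/column
// names, connection settings and sample input below are placeholders.

class mysqli_extended extends mysqli
{
    // Instance method: the connection is $this, so callers pass only the string.
    // get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.
    public function fix_string(string $string): string
    {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return $this->real_escape_string($string);
    }

    // Static variant: escaping depends on the connection's character set, so a
    // static method must still be handed a connection. It saves no arguments.
    public static function fix_string_static(mysqli $conn, string $string): string
    {
        if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
            $string = stripslashes($string);
        }
        return $conn->real_escape_string($string);
    }

    // Preferred: a prepared statement keeps the value out of the SQL text, so
    // neither magic quotes nor escaping matters. (Hypothetical table "users".)
    public function find_user(string $username): ?array
    {
        $stmt = $this->prepare('SELECT id, username FROM users WHERE username = ?');
        $stmt->bind_param('s', $username);
        $stmt->execute();
        $row = $stmt->get_result()->fetch_assoc();
        $stmt->close();
        return $row ?: null;
    }
}

// Throw exceptions instead of silently returning false on errors.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli_extended('localhost', 'user', 'password', 'appdb'); // placeholder credentials
// real_escape_string() is only correct for the character set the connection uses.
$db->set_charset('utf8mb4');

$input = "O'Brien"; // constructed sample input containing a quote

// Escaping approach: the escaped string is then interpolated into SQL text.
$escaped = $db->fix_string($input);
$sql = "SELECT id, username FROM users WHERE username = '$escaped'";
echo $sql, PHP_EOL;

// Prepared-statement approach: no interpolation at all.
$user = $db->find_user($input);
var_dump($user);
```

`get_result()` requires the mysqlnd driver; on a build without it, use `bind_result()` and `fetch()` instead. The point of the static variant is the answer to the last question: because escaping is tied to a specific connection's charset, a static method cannot drop the connection argument, so the instance method is the natural fit if one keeps escaping at all.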